
v7.0.0 — Context-Aware Intelligence


@CaspianTools CaspianTools released this 07 Feb 17:17

Highlights

Caspian Security v7.0.0 introduces a context-aware intelligence layer — the scanner now classifies issues with confidence scores, AI fixes understand full function scope, teams can share ignore decisions via .caspianignore, and scan results export to SARIF v2.1.0 for GitHub Security Alerts.


What's New

Smart Context AI Fixes

AI fix prompts now include the entire enclosing function scope and traced variable definitions, extracted via VS Code's DocumentSymbolProvider. The AI sees the full function body instead of just 20 surrounding lines, producing significantly more accurate fixes for complex code.

  • Full function body sent to AI (not just ±10 lines)
  • Variable definitions traced backwards within function scope
  • Security-expert prompt: "Fix the issue within the function scope without breaking the surrounding logic"
  • Graceful fallback to 20-line context when no symbol provider is available
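The scope-selection logic described above, written as an added example (this is not the extension's own src/contextExtractor.ts). It assumes the symbol tree has been reduced to plain line ranges in the shape DocumentSymbolProvider returns (name, kind, range, children); the fallback prompt wording is an assumption, while the function-scope instruction is the one quoted in these notes.

```typescript
// Added example, not the extension's own code: choose the text sent to the
// AI fixer. If a symbol tree (DocumentSymbolProvider output, reduced here to
// line ranges) covers the flagged line, send the innermost enclosing function
// or method; otherwise fall back to ±10 lines around the issue.

interface LineRange { startLine: number; endLine: number; }   // 0-based, inclusive
type SymbolKind = "function" | "method" | "class" | "other";
interface SymbolNode { name: string; kind: SymbolKind; range: LineRange; children?: SymbolNode[]; }
interface FixContext { source: "function" | "fallback"; startLine: number; text: string; }

// Innermost function-like symbol whose range contains `line`, or undefined.
function enclosingFunction(symbols: SymbolNode[], line: number): SymbolNode | undefined {
  let best: SymbolNode | undefined;
  let nodes = symbols;
  while (nodes.length > 0) {
    const hit = nodes.find(s => line >= s.range.startLine && line <= s.range.endLine);
    if (!hit) break;
    if (hit.kind === "function" || hit.kind === "method") best = hit;   // deeper match wins
    nodes = hit.children ?? [];
  }
  return best;
}

// Full function body when a symbol provider gave us one; ±radius lines otherwise.
function contextFor(lines: string[], line: number, symbols: SymbolNode[] | undefined, radius = 10): FixContext {
  const fn = symbols ? enclosingFunction(symbols, line) : undefined;
  if (fn) {
    return {
      source: "function",
      startLine: fn.range.startLine,
      text: lines.slice(fn.range.startLine, fn.range.endLine + 1).join("\n"),
    };
  }
  // No provider, or the line is outside any function: clamp ±radius to the file.
  const start = Math.max(0, line - radius);
  const end = Math.min(lines.length - 1, line + radius);
  return { source: "fallback", startLine: start, text: lines.slice(start, end + 1).join("\n") };
}

// The fallback wording is an assumption; the function-scope instruction is the
// one quoted in the release notes.
function buildFixPrompt(ctx: FixContext, issue: string): string {
  const instruction = ctx.source === "function"
    ? "Fix the issue within the function scope without breaking the surrounding logic."
    : "Fix the issue in this excerpt; the surrounding code may be incomplete.";
  return `${instruction}\n\nIssue: ${issue}\n\n${ctx.text}`;
}
```

Because a class range contains its methods, the loop descends through the class without recording it and only records function-like nodes, so a method nested in a class (or a closure nested in a function) is what gets sent, never the whole class.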

Confidence Scoring (Deep Verify)

Each detected issue now receives a confidence classification based on lightweight variable-source analysis:

| Level | Badge | Meaning | Example |
| --- | --- | --- | --- |
| Critical | 🔴 Red | Hardcoded secret as a string literal | `password = "admin123"` |
| Safe | 🟢 Green | Static string with no dynamic input | `query = "SELECT * FROM users"` |
| Verify Needed | 🟠 Orange | Dynamic value via concatenation or interpolation | `query = "SELECT * FROM " + input` |

Badges appear in the Results Panel and in VS Code diagnostics (e.g., [Critical] [Secrets] CRED001: ...).
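A small classifier that reproduces the three confidence levels from the table, added here as an example (it is not the extension's src/confidenceAnalyzer.ts). It takes the enclosing function body as an array of lines, looks at the assignment on the flagged line, and traces bare identifiers backwards within that scope; the rule families "Secrets" and "Injection" are assumed names, and the diagnostic prefix follows the `[Critical] [Secrets] CRED001:` shape shown above.

```typescript
// Added example, not Caspian's own code: a lightweight variable-source
// classifier. The flagged line's right-hand side is resolved to a string
// literal, a dynamic value (concatenation / interpolation), or unknown; bare
// identifiers are traced backwards to their latest assignment in scope.

type Confidence = "Critical" | "Safe" | "Verify Needed";
type RuleFamily = "Secrets" | "Injection";   // assumed family names
type ValueSource = "literal" | "dynamic" | "unknown";

// `<ident> = <rhs>` with an optional declaration keyword; `=(?!=)` skips comparisons.
const ASSIGNMENT = /^\s*(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?)\s*;?\s*$/;
const QUOTED = /^(["'])(?:(?!\1)[^\\]|\\.)*\1$/;   // exactly one "..." or '...' literal
const TEMPLATE = /^`(?:[^`\\]|\\.)*`$/;            // exactly one template literal
const INTERPOLATION = /\$\{/;
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function parseAssignment(line: string): { ident: string; rhs: string } | null {
  const m = line.match(ASSIGNMENT);
  return m ? { ident: m[1], rhs: m[2] } : null;
}

// Where does the value of `rhs`, found on lines[index], come from?
function sourceOf(lines: string[], index: number, rhs: string, depth = 0): ValueSource {
  if (QUOTED.test(rhs)) return "literal";
  if (TEMPLATE.test(rhs)) return INTERPOLATION.test(rhs) ? "dynamic" : "literal";
  if (rhs.includes("+")) return "dynamic";           // string concatenation
  if (IDENTIFIER.test(rhs) && depth < 8) {
    // Bare identifier: walk backwards to its most recent assignment in this scope.
    for (let i = index - 1; i >= 0; i--) {
      const a = parseAssignment(lines[i]);
      if (a && a.ident === rhs) return sourceOf(lines, i, a.rhs, depth + 1);
    }
  }
  return "unknown";                                   // parameter, call result, property, ...
}

function classify(lines: string[], index: number, family: RuleFamily): Confidence {
  const a = parseAssignment(lines[index]);
  if (!a) return "Verify Needed";                     // not an assignment we can reason about
  const src = sourceOf(lines, index, a.rhs);
  if (family === "Secrets") {
    // A secret that resolves to a literal is definitely hardcoded.
    return src === "literal" ? "Critical" : "Verify Needed";
  }
  // Injection-style rules: a static string carries no attacker-controlled input.
  return src === "literal" ? "Safe" : "Verify Needed";
}

// Diagnostic prefix in the "[Critical] [Secrets] CRED001:" shape from the release notes.
function diagnosticPrefix(conf: Confidence, family: RuleFamily, code: string): string {
  return `[${conf}] [${family}] ${code}:`;
}
```

Anything the tracer cannot resolve (a parameter, a call result, a property read) deliberately lands in Verify Needed rather than Safe, so the only way to earn a green badge is a value that provably comes from a literal.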

.caspianignore File

Clicking Ignore now persists the decision to a .caspianignore file in the workspace root. Teams can commit this file to version control and share ignore decisions across machines.

```
# Caspian Security Ignore File
# Format: RULE_CODE file/path.ts:line # optional reason

XSS001 src/app.ts:42 # False positive, sanitized upstream
CRED001 src/config.ts # Test credentials only
```

  • Optional reason prompt on ignore
  • Loaded on startup, watched for live changes via FileSystemWatcher
  • Matching by rule code + file path (optional line number)
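An added example, not the extension's src/caspianIgnore.ts, that parses the .caspianignore format shown above, filters scan results against it, and appends the entry an Ignore click would write. The file content embedded below is constructed from the example in these notes; it runs without touching the file system.

```typescript
// Added example, not Caspian's own implementation: read, match and write
// .caspianignore entries in the "RULE_CODE file/path.ts:line # reason" format.

interface IgnoreEntry { rule: string; file: string; line?: number; reason?: string; }
interface ScanIssue { rule: string; file: string; line: number; }

// Constructed sample, mirroring the release-notes example.
const SAMPLE_IGNORE = [
  "# Caspian Security Ignore File",
  "# Format: RULE_CODE file/path.ts:line # optional reason",
  "",
  "XSS001 src/app.ts:42 # False positive, sanitized upstream",
  "CRED001 src/config.ts # Test credentials only",
].join("\n");

// Workspace-relative, forward-slash paths so Windows and POSIX checkouts match.
function normalizePath(p: string): string {
  return p.replace(/\\/g, "/").replace(/^\.\//, "");
}

function parseCaspianIgnore(text: string): IgnoreEntry[] {
  const entries: IgnoreEntry[] = [];
  for (const raw of text.split(/\r?\n/)) {
    // Everything from the first '#' is a comment; on an entry line it is the reason.
    const hash = raw.indexOf("#");
    const body = (hash >= 0 ? raw.slice(0, hash) : raw).trim();
    if (!body) continue;                               // blank or comment-only line
    const reason = hash >= 0 ? raw.slice(hash + 1).trim() : "";
    const fields = body.split(/\s+/);
    if (fields.length !== 2) continue;                 // malformed: ignore nothing rather than too much
    const [rule, target] = fields;
    const m = target.match(/^(.*?)(?::(\d+))?$/);
    if (!m) continue;
    entries.push({
      rule,
      file: normalizePath(m[1]),
      ...(m[2] ? { line: Number(m[2]) } : {}),
      ...(reason ? { reason } : {}),
    });
  }
  return entries;
}

// An entry without a line number suppresses the rule for the whole file.
function findIgnore(issue: ScanIssue, entries: IgnoreEntry[]): IgnoreEntry | undefined {
  const file = normalizePath(issue.file);
  return entries.find(e =>
    e.rule === issue.rule && e.file === file && (e.line === undefined || e.line === issue.line));
}

// What the scanner does before publishing diagnostics.
function filterIgnored(issues: ScanIssue[], entries: IgnoreEntry[]): ScanIssue[] {
  return issues.filter(i => findIgnore(i, entries) === undefined);
}

function formatEntry(e: IgnoreEntry): string {
  const target = e.line === undefined ? normalizePath(e.file) : `${normalizePath(e.file)}:${e.line}`;
  return e.reason ? `${e.rule} ${target} # ${e.reason}` : `${e.rule} ${target}`;
}

// What an Ignore click writes: append the entry unless an equivalent one exists.
function appendEntry(text: string, e: IgnoreEntry): string {
  const file = normalizePath(e.file);
  const dup = parseCaspianIgnore(text).some(x => x.rule === e.rule && x.file === file && x.line === e.line);
  if (dup) return text;
  const sep = text.length === 0 || text.endsWith("\n") ? "" : "\n";
  return `${text}${sep}${formatEntry(e)}\n`;
}
```

A malformed line is skipped rather than treated as a wildcard, so a typo in a shared .caspianignore cannot silently suppress more findings than the author intended.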

SARIF v2.1.0 Export

New Export SARIF button in the results panel header. Generates a standards-compliant SARIF file that can be uploaded directly to GitHub Security Alerts (Security tab → Code scanning → Upload SARIF).

  • Follows OASIS SARIF v2.1.0 specification
  • Includes rule definitions, severity mapping, and physical source locations
  • Severity mapping: Error → error, Warning → warning, Info → note
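An added example of the export described above (not the extension's own exporter): it builds a SARIF v2.1.0 document with one `reportingDescriptor` per distinct rule, one result per issue, the Error/Warning/Info → error/warning/note mapping from the bullet list, and physical locations with repository-relative URIs. The issue shape and the tool name are assumptions; `%SRCROOT%` is the base id GitHub resolves to the repository root.

```typescript
// Added example, not Caspian's own code: turn scan results into a SARIF
// v2.1.0 log suitable for upload to GitHub code scanning.

type Severity = "Error" | "Warning" | "Info";
interface ScanIssue {
  code: string; name: string; message: string; severity: Severity;
  file: string; line: number; column?: number;
}
interface SarifRule { id: string; name: string; shortDescription: { text: string }; }

// Severity mapping from the release notes.
const SARIF_LEVEL: Record<Severity, "error" | "warning" | "note"> = {
  Error: "error", Warning: "warning", Info: "note",
};

function toSarif(issues: ScanIssue[], toolVersion = "7.0.0") {
  // Rules are de-duplicated; results point at them by ruleId and ruleIndex.
  const ruleIndex = new Map<string, number>();
  const rules: SarifRule[] = [];
  for (const i of issues) {
    if (!ruleIndex.has(i.code)) {
      ruleIndex.set(i.code, rules.length);
      rules.push({ id: i.code, name: i.name, shortDescription: { text: i.name } });
    }
  }
  const results = issues.map(i => ({
    ruleId: i.code,
    ruleIndex: ruleIndex.get(i.code),
    level: SARIF_LEVEL[i.severity],
    message: { text: i.message },
    locations: [{
      physicalLocation: {
        // Forward slashes and a repo-root base id so GitHub can annotate the file.
        artifactLocation: { uri: i.file.replace(/\\/g, "/"), uriBaseId: "%SRCROOT%" },
        region: { startLine: i.line, startColumn: i.column ?? 1 },
      },
    }],
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "Caspian Security", version: toolVersion, rules } }, results }],
  };
}

// The string written to disk by the export command.
function sarifJson(issues: ScanIssue[]): string {
  return JSON.stringify(toSarif(issues), null, 2);
}
```

SARIF lines and columns are 1-based, so a scanner that stores 0-based VS Code positions must add one before filling `region`; the example assumes its input is already 1-based.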

What's Changed

  • AI fix prompt uses a security-expert instruction when function scope is available
  • Ignore command shows an optional input box for providing a reason before writing to .caspianignore
  • Diagnostics display confidence prefix when available (e.g., [Critical] [Secrets] CRED001: ...)
  • Scanner filters out issues matching .caspianignore entries before publishing diagnostics

New Commands

  • Caspian Security: Export Results to SARIF — export scan results in SARIF v2.1.0 format

New Files

  • src/contextExtractor.ts — function scope extraction via DocumentSymbolProvider
  • src/confidenceAnalyzer.ts — lightweight variable-source confidence classifier
  • src/caspianIgnore.ts — .caspianignore file management (read, write, match)

Full Changelog: https://github.com/Caspian-Explorer/caspian-security/blob/main/CHANGELOG.md